“All Users” in Entra ID means ALL users and guests
Just this week I made a mistake by adding an All Users group as eligible for a PIM group, and in doing so learnt a few things. Some of them should have been obvious to me; others are not necessarily obvious. I will take you through what I did and how you can learn from my mistake.
What I was trying to do
We use PIM and Conditional Access policies combined with Authentication Strengths and Authentication context to ensure admins have to use strong authentication methods in order to elevate to any privileged role. I will write another blog on exactly how we do this soon.
This week however, having chatted about Break-glass accounts and exclusion groups in Conditional Access, I thought I would combine the power of PIM for groups (formerly Privileged Access Groups) with Role-assignable groups and then an exclusion group for a test conditional access policy. By the way, a group doesn’t have to be a role-assignable group to be enabled in PIM for groups.
The idea was that the PIM group would be empty but added to the exclusion list of the CA policy. Because the group is marked Role-assignable (isAssignableToRole = true) and grants access to sensitive resources (in this case, exclusion from a CA policy), only privileged admins or group owners can add members to it. I also wanted to make sure that PIM required approval from specific people in the organization when someone requested to be a member. This is something organizations might be doing manually today.
Since I didn’t want to specify each user that would be eligible to be a member of the PIM group, I wanted to use an existing dynamic group which would contain all the users in my tenant automatically. Each user would still need to know the process for requesting membership of the PIM group, and approvers would have to review the request and approve or decline it. So, I used a dynamic group that showed up in my tenant called “All Users”.
Dynamic Groups in Entra ID
Membership of Microsoft Entra ID groups can be defined in two ways. The first is “Assigned”, where you add the specific members: users, devices, or a combination of both. The second is dynamic, where members are added or removed automatically based on rules that test whether object attributes match given criteria. A dynamic membership rule applies either to user members or to device members, not both. Dynamic membership is supported for security groups and Microsoft 365 Groups, and dynamic groups are a feature of the Entra ID P1 license.
The dynamic groups have dynamic rule properties and syntax which are evaluated against the users or devices to include or exclude them in the group membership.
All Users
As an administrator of Dynamic Groups in Entra ID, you can create a group containing all users within the organization. This means that when users are added or removed from the tenant in future, they are added or removed from the group membership automatically.
Here’s the Microsoft Learn article that defines the rule syntax for an All users group.
There’s a “shortcut” rule syntax of simply “All Users” which equates to user.objectId -ne null.
There is a caveat and this is the first mistake I made. Because All Users evaluates user objects and guests are also user objects, this rule syntax included all guest accounts. This can be seen positively evaluated in the screenshot with one of the guests in my tenant.
Lesson 1: All Users == All members + All B2B guests
The other thing I thought was true of every tenant was that the All Users group existed by default. It turns out the dynamic group in my tenant was created a few years ago by a colleague of mine, and I had confused it with the All Users and All Devices groups that do exist in Intune by default!
Lesson 2: "All Users" group doesn't exist in Entra ID by default - it must be created.
Dynamic group without guests
If you wanted to create a dynamic group with all users, but not include guests, create the group with the syntax:
(user.objectId -ne null) -and (user.userType -eq "Member")
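As an added example (not code from the original post), here is how to check an existing dynamic group for guests before nesting it into a PIM group, and how to create the member-only dynamic group above, using the Microsoft Graph PowerShell SDK. It assumes the display name “All Users” for the group being checked and an account with Group.ReadWrite.All and User.Read.All.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph PowerShell SDK
# and a signed-in account with Group.ReadWrite.All and User.Read.All.
# "All Users" is the assumed display name of the dynamic group being checked.
Connect-MgGraph -Scopes "Group.ReadWrite.All","User.Read.All"

# 1. Inspect the existing dynamic group and count how many of its members are guests
#    before using it as an eligibility source for a PIM group (Lesson 1).
$group = Get-MgGroup -Filter "displayName eq 'All Users'" `
    -Property Id,DisplayName,MembershipRule,MembershipRuleProcessingState
"Rule for '$($group.DisplayName)': $($group.MembershipRule)"

# Get-MgGroupMember returns directory objects; user attributes sit in AdditionalProperties.
$members = Get-MgGroupMember -GroupId $group.Id -All
$guests  = $members | Where-Object { $_.AdditionalProperties['userType'] -eq 'Guest' }
"Members: $($members.Count)  Guests: $($guests.Count)"
if ($guests.Count -gt 0) {
    Write-Warning "This group includes B2B guests; do not use it as a PIM eligibility source unless that is intended."
}

# 2. Create a member-only dynamic group with the rule from the post. A dynamic group
#    cannot itself be role-assignable, so this is the nested *eligible* group, not the
#    role-assignable PIM group it gets nested into.
$rule = '(user.objectId -ne null) -and (user.userType -eq "Member")'
$newGroup = New-MgGroup -DisplayName "All Members (no guests)" `
    -MailNickname "allmembers-noguests" `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"
"Created $($newGroup.DisplayName) ($($newGroup.Id)); membership is populated asynchronously."
```

Re-run step 1 against the new group once the rule has finished processing to confirm the guest count is zero.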
PIM Eligibility
The next thing that I learnt is that PIM for groups supports nested groups. So if a group is eligible for membership in another group, the members of the nested group can activate their membership through PIM. This is a good thing I suppose, and I was expecting it to work, so this test confirmed it.
Lesson 3: PIM for groups fully supports nested groups.
PIM Notifications
PIM informs administrators and other participants when something important happens in PIM, such as when a role is assigned. These notifications are sent as an email from mssecurity-noreply@microsoft.com. PIM sends emails to end users (guests too) when an Owner or Member role is assigned. So in my case, hundreds of guests were sent a notification email, which I didn’t expect to happen because the default notification is set as shown in the screenshot below:
I was contacted by one of our guest users because they were a little confused by the notification. They thought it was something on their tenant that I managed to configure remotely!
I should have disabled this setting.
Lesson 4: Disable assignee notifications if you don't want everyone to be spammed with the notification.
Finding Guests’ email addresses
After I found out that all the guests from my tenant were receiving the confusing notification email, I immediately removed the All Users eligibility from the PIM group, but I needed to let them know that it was not intentional and that they could safely ignore the notification email.
To do that, I needed to extract all the email addresses from Entra ID for guest users.
If you navigate to All Users in Entra ID, you can certainly filter by “User type == Guest” and get a list of just the guests.
Once you have a filtered list in the portal, you can export a CSV by clicking on “Download users”. The download will contain the filtered list of users with a number of extra attributes included that are not visible by default in the portal. The “mail” attribute is what I needed to send my apology email to. I included all of my guests in the BCC field of the emails – I didn’t want everyone to see everyone else’s email address!
Lesson 5: Download CSV of filtered users to see mail attribute.
Cleaning up stale guests
Once I had sent my email out, I naturally received a few Non-delivery reports (NDRs), notifying me that the address no longer existed or could not be delivered to. I will be using the NDRs to assist in my cleanup of inactive guests. There are also some clever PowerShell scripts such as Tony Redmond’s FindObsoleteGuestsByActivityV3.ps1 mentioned on his blog – Why It’s a Good Idea to Review and Remove Inactive Guest Accounts Annually | Practical365. Or the Microsoft MSIdentityTools cmdlet “Get-MsIdInactiveSignInUser”.
Lesson 6: Review and remove inactive guests frequently.
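As an added example covering Lessons 5 and 6 (not code from the original post), this Graph PowerShell script exports guests’ mail attribute for a BCC notification and builds a review list of clean-up candidates from bounced NDR addresses and never-redeemed invitations. The NDR addresses are constructed placeholders, and it assumes an account with User.Read.All.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph PowerShell SDK
# and a signed-in account with User.Read.All. The NDR addresses below are constructed
# placeholders standing in for the bounced addresses copied out of the real NDRs.
Connect-MgGraph -Scopes "User.Read.All"

# 1. Pull every guest with the attributes needed for the notification (Lesson 5).
#    A guest's userPrincipalName is the #EXT# form, so "mail" is the attribute to send to.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -ConsistencyLevel eventual -CountVariable guestCount `
    -Property Id,DisplayName,Mail,UserPrincipalName,ExternalUserState,CreatedDateTime
"Guests found: $guestCount"

$guests | Where-Object { $_.Mail } |
    Select-Object DisplayName,Mail,UserPrincipalName |
    Export-Csv -Path ".\guests-for-bcc.csv" -NoTypeInformation

# 2. Build a clean-up review list (Lesson 6): guests whose address bounced and guests
#    who never redeemed their invitation. This only lists candidates; it deletes nothing.
$bounced = @('alice@example.com', 'bob@example.org')   # constructed NDR addresses
$review = $guests | ForEach-Object {
    $reasons = @()
    if ($bounced -contains $_.Mail)                   { $reasons += 'NDR' }
    if ($_.ExternalUserState -eq 'PendingAcceptance') { $reasons += 'Invitation never redeemed' }
    if ($reasons) {
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Mail        = $_.Mail
            Created     = $_.CreatedDateTime
            Reason      = ($reasons -join '; ')
        }
    }
}
$review | Sort-Object Created | Format-Table -AutoSize
$review | Export-Csv -Path ".\guest-cleanup-review.csv" -NoTypeInformation
```

Combine this list with a sign-in activity check (for example the MSIdentityTools cmdlet named above) before removing anyone, since a bounced address alone does not prove the guest is unused.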
Change control
The last thing I wanted to share with you is that some of the mistakes I made this week could have been avoided if the proper change approval process had been followed. I made a change in a production environment without consulting members of a Change Approval Board (CAB) and the outcome could have been catastrophic. It wasn’t but it could’ve been.
I know the importance of the change control process and generally follow it rigorously. Because I was “testing” something with what I thought was going to have minimal impact, I didn’t stick to the process.
Lesson 7: Stick to the process, it's there to protect you too.
These are the lessons I learnt or have been reminded of:
- All Users == All members + All B2B guests.
- “All Users” group doesn’t exist in Entra ID by default – it must be created.
- PIM for groups fully supports nested groups.
- Disable assignee notifications if you don’t want everyone to be spammed with the notification.
- Download CSV of filtered users to see mail attribute.
- Review and remove inactive guests frequently.
- Stick to the process, it’s there to protect you too.
I love to learn and share what I have learnt and in some cases, one makes mistakes to learn. Often the best lessons are those gained from making mistakes. There’s a saying in the product development world “Fail Fast” which encourages learning from failures. By trying to achieve goals, you are bound to make many mistakes, but at the same time you will learn new skills and insights. It’s not about failing for the sake of failing, but about learning and adapting quickly from small failures to improve.